If you’re a Department of Defense contractor, or hoping to win a DoD contract, you’ll need to comply with the Cybersecurity Maturity Model Certification (CMMC) standard.
CMMC has been updated several times since CMMC Version 1.0 was released in January 2020. The current version (Version 2.0) describes three maturity levels, and how they impact compliance requirements.
The three levels of CMMC range from foundational to expert:
Level 1 (Foundational): You will need to implement the 17 cybersecurity practices derived from Federal Acquisition Regulation (FAR) clause 52.204-21, and affirm compliance through an annual self-assessment.
Level 2 (Advanced): You will need to implement the 110 security requirements of NIST SP 800-171. For some contracts an annual self-assessment is sufficient; for those involving more sensitive information, you must be assessed by a Certified Third-Party Assessor Organization (C3PAO) every three years.
Level 3 (Expert): This is the most demanding level, applying to a small set of companies working on the highest-priority, most sensitive contracts. It builds on the 110 NIST SP 800-171 requirements with additional controls drawn from NIST SP 800-172. As at Level 2, you must be assessed every three years, but the assessment is led by the government rather than a C3PAO.
There are three steps to prepare for CMMC:
The first step is to determine which CMMC level applies to your company. DoD guidance indicates that the vast majority of contractors (99% or more) will fall under Level 1 or Level 2. Refer to the CMMC documentation to assess which level is right for you.
At this step, you should:
Understand CMMC requirements
Identify your business scope
Identify the maturity level you fall under
The CMMC Accreditation Body has published a roadmap for CMMC assessment and certification. It recommends starting the process at least six months before you need to be CMMC certified.
Partnering with a cybersecurity firm helps ensure you don't miss updates to the continuously evolving CMMC requirements. It also helps you prepare for certification through a gap analysis and specific recommendations that guide you to full compliance.
At Millennium Tech USA, we have the experience, expertise, and accreditations to ensure you successfully navigate the complex process of CMMC certification.
As a first step, we conduct a readiness assessment to evaluate how close you are to compliance and what must be done to close any existing gaps. We then develop a remediation plan that documents the processes falling short of the required standard and recommends how to bring them into compliance.
CMMC certification will be required for DoD contracts. If you are not properly prepared to pass your assessment, you risk losing your existing DoD contracts, and you won't be able to win new ones until you are CMMC certified, which could take 12 months or longer.
When you want to become CMMC certified and win DoD contracts, it’s best to follow the old military adage of the 6Ps:
“Proper planning and preparation prevent poor performance”
Contact Millennium Tech USA today to learn how we can help you plan and prepare to excel in your CMMC performance.
© 2021 Millennium Tech USA. All Rights Reserved.